StateScoop Q&A: Michigan CISO Dan Lohrmann

Michigan Chief Information Security Officer Dan Lohrmann sat down with StateScoop and discussed his career, the dynamics of cyber attacks on the state, how his office is working to educate employees to stay safe, and collaboration with the private sector.

You have a great, diverse background. For those not familiar with you, can you give us a quick course in “Dan Lohrmann 101” and how you got to where you are today?

I was very fortunate to begin my career at the National Security Agency near Washington, D.C. I learned so much about security and TCP/IP interoperability in those early years – as I was focusing on global Department of Defense networks before we even had a (public) Internet. I also got my master’s degree in Computer Science from Johns Hopkins.

In 1991, I moved to England with my wife and daughter, where I worked for Lockheed Martin (formerly Loral Aerospace) as a senior network engineer designing FDDI networks and more. In 1993, when ManTech won the US/UK military base support contract, I became director over a Network Management Group that grew from 20 to 40 staff. I also learned quite a bit about contracting and bidding on government proposals in those years.

In 1997, we moved to Michigan due to some extended family situations. I started as CIO for the Department of Management & Budget, with a primary focus on Y2K. After 2000, I moved over to help launch Michigan.gov as the State’s first unified web portal as Chief Technology Executive (functioning CTO) for e-Michigan.

But after 9/11, things changed a lot in state government. Michigan centralized all IT into one department, and I became the first Chief Information Security Officer (CISO) over cybersecurity staff and resources. I led that group for almost seven years, and we did many ground-breaking things. In 2009, after our State CTO left for the private sector, I was selected as CTO and deputy director of all infrastructure (about 750 staff including data centers, help desk, technical support, field services, desktop automation, telecommunications, etc.).

In 2011, after Governor Snyder was elected, I moved back as Chief Security Officer in a new group over both physical and cybersecurity. The Governor saw the great need and had a vision for quick action. You can read our plan at www.Michigan.gov/cybersecurity.

Overall, I’ve been very blessed to work in this field over the past 25+ years.

Can you give an overview of the level and nature of attacks you’re dealing with?

The state of Michigan government faces a barrage of unauthorized attempts to access our networks and systems each and every day. During 2012, we removed over 31 million pieces of malware from incoming emails, stopped over 142 million website attacks and blocked over 24 million network scans. The threat is real – we see it daily in Michigan, as does every other state in the nation.

We also see most of the same security issues as other major corporations, from insider threat to phishing scams to mobile malware threats.

What are the top security “mistakes” you confront that cause vulnerabilities?

Wow. There are so many areas that we see, and you can put them under the traditional categories of people, process and technology.

On the people side, we continue to have staff click on scams and do things that are not smart. From reusing passwords to cutting corners (in order to get around controls) to thinking that they are invincible, our employees are our greatest asset and our greatest vulnerability.

On the process side, I would say our coding still leaves too many vulnerabilities. I’m talking about both internal staff as well as contractors and even buying off the shelf software or major system development (via RFPs) that is full of security holes/bugs.

As far as technology goes, most readers will know that the bad guys always seem to be one step ahead of the good guys. Microsoft (and other vendors) claimed that we would have ‘secure by default’ a decade ago, but we’re not there yet. Our security tools and overall delivery of technology are still being delivered insecure. I think there are many reasons for this, but most users still value ease of use and functionality over security – so security teams and tools are left to patch new holes.

What processes are you taking to educate or protect state employees on security?

In the past, Michigan developed training that quickly became outdated, boring, and, quite frankly, a failure. We learned from our mistakes and now offer new online statewide Cyber Awareness Training 2.0 for all employees. Brief, interactive lessons are delivered to all employees over the web that are relevant, timely and, I must say, even ‘fun’ activities for the users. Feedback thus far has been overwhelmingly positive, with employees praising the new approach and even sharing the information with family members at home. We’ve rolled this out to over 52,000 employees in state and local government – including our courts and legislature staff.

And let’s not forget technical training for our cybersecurity staff. In 2012, partnering with Merit Network, we launched the Michigan Cyber Range. This state-of-the-art training, research and testing facility provides a secure environment for cyber response training, cyber defense scenario testing, and the latest in technical training for cybersecurity staff in the public and private sectors.

What are the mobile security issues you’re dealing with, and how does it impact moving forward on implementing policies such as “bring your own device” and telework?

I think mobile is the next big frontier, and our biggest challenge has been to just try and stay in front of our users – which we are struggling with now. The iPads and iPhones and Droids came in faster than we were ready for, and we didn’t have mobile device management in place. We issued an RFP, and now we have selected Fiberlink for MDM. We are rolling that out, and it will support both state-owned devices and BYOD.

Getting those policies in place has been a huge culture shift for us, but we have finally turned the corner, I think. Nevertheless, I am sure that more mobile challenges and malware are coming.

The White House recently issued a cybersecurity executive order calling for more public-private sector collaboration. How are you working with the private sector on security issues?

I’ve been working with the FBI InfraGard program since 2004, and I was Michigan president and held other offices as well. I highly recommend that government leaders get involved with this program. This is a public / private partnership working on many critical infrastructure issues.

We also have created a CSO “Kitchen Cabinet” which meets monthly with private sector CISOs from around the state on a variety of topics, including information sharing. In partnership with these private sector companies who own and operate Michigan’s critical infrastructure, Michigan is developing a Cyber Disruption Response Plan to map out a clear communication strategy and the necessary actions following a major cyber incident.

I have been very fortunate to work closely with DHS and many technology companies since about 2004 on a long list of public / private initiatives with the Information Technology Government and Sector Coordinating Councils (IT-SCC and IT-GCC). These groups meet regularly in DC. I helped review drafts on a long list of ground-breaking documents. These include the National Infrastructure Protection Plan (NIPP), Sector-Specific Plans, Internet Disruption Working Group Plans, Cross-Sector Coordination of cyber issues and more.

It’s an honor to be a part of a group of cyber experts who work closely with national leaders in cybersecurity.